The use of sprintf with format string here means that there is a risk that the writes will go out of bounds, replace it with scnprintf. In on_action_public_default the variable "cnt" isn't being used for anything meaningful so remove it. Signed-off-by: Candy Febriyanto <cfebriyanto@xxxxxxxxx> --- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 3 +-- drivers/staging/rtl8723bs/core/rtw_pwrctrl.c | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c index fa4b0259c5ae..3443a5764c50 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c @@ -2084,7 +2084,6 @@ static unsigned int on_action_public_default(union recv_frame *precv_frame, u8 a u8 *frame_body = pframe + sizeof(struct ieee80211_hdr_3addr); u8 token; struct adapter *adapter = precv_frame->u.hdr.adapter; - int cnt = 0; char msg[64]; token = frame_body[2]; @@ -2092,7 +2091,7 @@ static unsigned int on_action_public_default(union recv_frame *precv_frame, u8 a if (rtw_action_public_decache(precv_frame, token) == _FAIL) goto exit; - cnt += sprintf((msg+cnt), "%s(token:%u)", action_public_str(action), token); + scnprintf(msg, sizeof(msg), "%s(token:%u)", action_public_str(action), token); rtw_cfg80211_rx_action(adapter, pframe, frame_len, msg); ret = _SUCCESS; diff --git a/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c b/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c index 5b05d1eaa328..c9f4a18b24b9 100644 --- a/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c +++ b/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c @@ -554,7 +554,7 @@ void LPS_Enter(struct adapter *padapter, const char *msg) /* Idle for a while if we connect to AP a while ago. */ if (pwrpriv->LpsIdleCount >= 2) { /* 4 Sec */ if (pwrpriv->pwr_mode == PS_MODE_ACTIVE) { - sprintf(buf, "WIFI-%s", msg); + scnprintf(buf, sizeof(buf), "WIFI-%s", msg); pwrpriv->bpower_saving = true; rtw_set_ps_mode(padapter, pwrpriv->power_mgnt, padapter->registrypriv.smart_ps, 0, buf); } @@ -584,7 +584,7 @@ void LPS_Leave(struct adapter *padapter, const char *msg) if (pwrpriv->bLeisurePs) { if (pwrpriv->pwr_mode != PS_MODE_ACTIVE) { - sprintf(buf, "WIFI-%s", msg); + scnprintf(buf, sizeof(buf), "WIFI-%s", msg); rtw_set_ps_mode(padapter, PS_MODE_ACTIVE, 0, 0, buf); if (pwrpriv->pwr_mode == PS_MODE_ACTIVE) -- 2.30.1 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel